Announcing Microsoft BitLocker Administration and Monitoring (MBAM)

So what is MBAM?  MBAM builds on the BitLocker technology in Windows 7 by offering an enterprise solution for BitLocker provisioning, monitoring and key recovery.   MBAM will be made available as part of the Microsoft Desktop Optimization Pack (also known as MDOP).  The goals of the product are to simplify provisioning and deployment of BitLocker, improve compliance reporting on BitLocker status and use, and reduce support costs through better help desk tools and making it easier for an end user to interact with BitLocker.

MBAM will be available to SA customers through the Microsoft Desktop Optimization Pack at a future date.  A Beta version will be available to the public in March 2011.  Customers can sign up here to be notified when the beta is available. 

Here’s a bit more detail on the benefits of MBAM:

Simplify Provisioning and Deployment

  • Integrates into existing Windows 7 deployment process: Organizations can integrate the MBAM client into their task sequence setup in System Center Configuration Manager / Microsoft Deployment Toolkit or their other Windows 7 deployment tools.  The client then automates the encryption process as part of the deployment.
  • End Users Can Start the Encryption Process: For organizations that deploy MBAM after they have deployed Windows 7, the MBAM agent gives a standard user the ability to start the encryption process.  This improves on the BitLocker out-of-box experience, where the end user must have administrative rights to accomplish this.
  • Target only the hardware you want to encrypt: IT Professionals can exclude hardware by make and model, making sure that only machines capable of meeting the encryption policy are encrypted.

Improve Compliance and Reporting

  • Know how compliant the organization is: Security administrators and IT Professionals can see which machines are encrypted and meet the organizational policy through out-of-the-box reports.
  • More secure recovery key storage: IT Professionals have an alternative to storing BitLocker recovery key information in Active Directory.  Machines with the MBAM client will send BitLocker recovery key information to an encrypted SQL database.

Reduce Support Costs

  • Streamline key recovery for the help desk:   MBAM provides a web page that allows the help desk to quickly get the user’s recovery key if they get into BitLocker recovery mode.  The help desk no longer needs access to Active Directory when the organization is using MBAM.
  • Use a recovery key only once: When a recovery key is retrieved and used, the MBAM client will automatically generate a new recovery key for that PC so that the original key cannot be used to gain access to the machine again.
  • Empower end users to do the basics:  MBAM allows an end user with standard user rights to perform basic BitLocker tasks like changing their PIN or starting the encryption process, which saves them from calling the help desk.
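To make the "use a recovery key only once" step concrete, here is an added example (not MBAM's own code, which does this automatically and escrows to its SQL database) that performs the same rotation by hand with manage-bde, the BitLocker command-line tool built into Windows 7. The drive letter and the Active Directory escrow step are assumptions for this illustration.

```powershell
# Illustrative only: rotate a BitLocker recovery password after it has been used.
# MBAM performs the equivalent automatically; this script shows the steps with
# manage-bde so the sequencing is visible. $Drive is a constructed default.
param([string]$Drive = "C:")

$idPattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})'

# 1. List current protectors. Recovery passwords appear as "Numerical Password:"
#    blocks, each followed by an "ID: {GUID}" line.
$before = manage-bde -protectors -get $Drive | Out-String
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for $Drive" }
$oldIds = [regex]::Matches($before, $idPattern) | ForEach-Object { $_.Groups[1].Value }
if (-not $oldIds) { throw "No recovery password protector found on $Drive" }

# 2. Add a fresh recovery password BEFORE removing the used one, so the volume
#    is never left without a recovery protector if a later step fails.
manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add a new recovery password" }

# 3. Find the new protector's ID and escrow it. MBAM sends it to its database;
#    without MBAM the closest built-in equivalent is -adbackup (Active Directory).
$after = manage-bde -protectors -get $Drive | Out-String
$newId = [regex]::Matches($after, $idPattern) |
    ForEach-Object { $_.Groups[1].Value } |
    Where-Object { $oldIds -notcontains $_ } |
    Select-Object -First 1
if (-not $newId) { throw "New recovery password not found after -add" }
manage-bde -protectors -adbackup $Drive -id $newId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Escrow of $newId failed; old protector left in place" }

# 4. Only now delete the used protector(s): the key the help desk disclosed can
#    no longer unlock this machine, which is the property the MBAM client provides.
foreach ($id in $oldIds) {
    manage-bde -protectors -delete $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not delete protector $id" }
}
```

Run it elevated; the ordering (add, escrow, then delete) is what keeps the machine recoverable throughout the rotation.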